UmbreCrypt Ransomware manually installed via Terminal Services

A new CrypBoss ransomware variant has been released called UmbreCrypt. This ransomware family encrypts a victim's data with AES encryption and then requires them to email the developers for payment instructions. At this time there is no way to decrypt these files for free, but Fabian Wosar of Emsisoft is looking into modifying his current CrypBoss decrypter to work with this variant.

I have been told by numerous victims that they believe UmbreCrypt was manually installed through hacked Terminal Services or Remote Desktop. If you are infected with this ransomware, it is advised that you check the Windows Security event log for failed logon attempts, and for the successful remote logon that followed them, to try and determine which account was compromised.

Update 2/10/16 11:25 AM EST: Previous variants of this ransomware, such as HydraCrypt, have been shown to be distributed via exploit kits. So it is not certain that the distribution method is indeed hacked Terminal Services. Apologies for the unintentional clickbait. Still waiting to hear back from various victims to confirm.
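The log check recommended above, as an added example that is not part of the original article. It summarises failed logons (Security event 4625) by source address and account, then lists successful logons of type 10 (RemoteInteractive, i.e. RDP/Terminal Services, event 4624) and flags any whose source address also appears among the failures. Run it elevated on the affected host; the lookback window is an assumed default.

```powershell
# Added example, not code from the article. Assumes an elevated session on the
# infected host and that the Security log has not been cleared or rolled over.
param([int]$Days = 14)   # assumed lookback window

$since = (Get-Date).AddDays(-$Days)

# Pull one named field out of an event's EventData (e.g. TargetUserName).
function Get-LogonField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4625 = an account failed to log on. Grouping by source IP and account makes a
# password-guessing run against RDP stand out as one address trying many times.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = Get-LogonField $_ 'TargetUserName'
            SourceIp  = Get-LogonField $_ 'IpAddress'
            LogonType = Get-LogonField $_ 'LogonType'
        }
    }

"Failed logons since $since, by source IP and account:"
$failed | Group-Object SourceIp, Account | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize

# 4624 with LogonType 10 = RemoteInteractive (RDP / Terminal Services). A success
# from an address that also produced failures is the likely entry point and the
# account that needs its password reset.
$rdpOk = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-LogonField $_ 'LogonType') -eq '10' } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Account  = Get-LogonField $_ 'TargetUserName'
            SourceIp = Get-LogonField $_ 'IpAddress'
        }
    }

$suspectIps = $failed | Select-Object -ExpandProperty SourceIp -Unique
"Successful RDP logons since $since (* = source IP also had failed attempts):"
$rdpOk | Sort-Object Time |
    Select-Object Time, Account, SourceIp,
        @{ n = 'Flag'; e = { if ($suspectIps -contains $_.SourceIp) { '*' } else { '' } } } |
    Format-Table -AutoSize
```

If the failure list is empty or stops abruptly, check for event 1102 ("the audit log was cleared") in the same log before concluding nothing happened; an attacker with an administrative RDP session can clear it. Correlate the logon time with the LastWriteTime of the encrypted files, which bounds when the ransomware ran.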

The UmbreCrypt Encryption Process

When installed, UmbreCrypt will scan the C, D, E, F, G, and H drives on a computer for data files whose extension is on its target list. If it finds a targeted extension it will encrypt the file using AES encryption and append the umbrecrypt_ID_[victim_id] extension to the encrypted file. For example, the file Chrysanthemum.jpg would become Chrysanthemum.jpg.umbrecrypt_ID_abdag113.

UmbreCrypt also uses a directory name whitelist: any file whose path contains one of the listed directory names will not be encrypted. The list includes both mixed-case and upper-case spellings of the same folders, which suggests the match is case-sensitive. The folders that are whitelisted are:

Windows, Program Files, PROGRAM FILES, Program Files (x86), PROGRAM FILES (x86), WINDOWS, ProgramData

In each folder where a file has been encrypted, UmbreCrypt will also create a ransom note named README_DECRYPT_UMBRE_ID_[victim_id].txt.
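An inventory script for the behaviour described above, added here as an example rather than taken from the article. It walks the drives the ransomware targets, extracts the victim ID and the original name from the appended extension, checks that no encrypted file sits under a whitelisted directory (which the substring rule says should not happen), and compares the set of folders holding ransom notes with the set of folders holding encrypted files. The regex for the suffix and the output path are my assumptions; drive letters, whitelist and note name come from the article.

```powershell
# Added example, not code from the article. Read-only apart from the CSV it
# writes; run it before any cleanup so the inventory reflects the original state.
$drives    = 'C','D','E','F','G','H' | ForEach-Object { "$($_):\" } | Where-Object { Test-Path $_ }
$whitelist = 'Windows','Program Files','PROGRAM FILES','Program Files (x86)','PROGRAM FILES (x86)','WINDOWS','ProgramData'
# Assumed suffix format: ".umbrecrypt_ID_<victim_id>" at the very end of the name.
$suffix    = [regex]'\.umbrecrypt_ID_(?<id>[^\\.]+)$'

$encrypted = foreach ($root in $drives) {
    Get-ChildItem -Path $root -Recurse -File -Filter '*.umbrecrypt_ID_*' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $suffix.Match($_.Name)
            if ($m.Success) {
                $full     = $_.FullName
                $original = $full.Substring(0, $full.Length - $m.Length)
                [pscustomobject]@{
                    Path        = $full
                    Original    = $original
                    OriginalExt = [System.IO.Path]::GetExtension($original)
                    VictimId    = $m.Groups['id'].Value
                    Drive       = $root
                    # Whitelist is a substring match on the path; -clike is the
                    # case-sensitive wildcard operator, matching the article's list.
                    InWhitelist = [bool]($whitelist | Where-Object { $full -clike "*$_*" })
                    Modified    = $_.LastWriteTime
                }
            }
        }
}

"Encrypted files: $($encrypted.Count)"
"Victim IDs (expect exactly one per host):"
$encrypted | Group-Object VictimId | Select-Object Name, Count | Format-Table -AutoSize
"Per drive:"
$encrypted | Group-Object Drive | Select-Object Name, Count | Format-Table -AutoSize
"Original extensions, most common first (this is the target list in practice):"
$encrypted | Group-Object OriginalExt | Sort-Object Count -Descending |
    Select-Object -First 15 Name, Count | Format-Table -AutoSize
"Encrypted files under whitelisted folders (expect 0):"
($encrypted | Where-Object InWhitelist).Count

# One note per folder that had a file encrypted, so note folders and encrypted
# folders should be the same set. A note without encrypted files beside it means
# something was moved or deleted after the run.
$notes = foreach ($root in $drives) {
    Get-ChildItem -Path $root -Recurse -File -Filter 'README_DECRYPT_UMBRE_ID_*.txt' -Force -ErrorAction SilentlyContinue
}
$noteDirs = @($notes | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique)
$encDirs  = @($encrypted | ForEach-Object { Split-Path $_.Path -Parent } | Sort-Object -Unique)
"Ransom notes: $($notes.Count); folders with a note but no encrypted files:"
$noteDirs | Where-Object { $encDirs -notcontains $_ }

# The earliest and latest write times bound the encryption run; use them when
# reading the Security log for the logon that preceded it.
$encrypted | Measure-Object Modified -Minimum -Maximum | Select-Object Minimum, Maximum

# Keep the inventory for the incident record and for any later decrypter.
$encrypted | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\umbrecrypt_inventory.csv"
```

Keep the encrypted files and at least one ransom note until a decrypter is available; the note carries the victim ID that any recovery tool will key on.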

When the program has finished encrypting the data it will display a ransom screen that provides information on what has happened to the victim's files. This information will also contain instructions that tell the victim they must send an email to the ransomware developers in order to receive payment information.

UmbreCrypt Ransom Screen

These instructions tell the victim to send their unique ID to umbredecrypt@engineer.com or umbrehelp@consultant.com and to wait for a "specialist" to get back to them with payment instructions.

At this time there is no way to recover the files for free, but we always suggest users try a program like ShadowExplorer to attempt to recover files via the Shadow Volume Copies, provided the ransomware did not delete them. If a decrypter is released, we will be sure to post about it at the site.
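A way to check, without a third-party tool, whether the shadow-copy recovery suggested above is possible on a given host, added here as an example that is not part of the original article. It lists the existing shadow copies, exposes the newest one for the scanned drive as a directory with a symbolic link (the standard mklink trick that tools such as ShadowExplorer automate), and tests whether the pre-encryption originals of a sample of encrypted files still exist in that snapshot. Run it elevated; the mount point, scan root and sample size are my assumed defaults.

```powershell
# Added example, not code from the article. Requires an elevated session.
param(
    [string]$Mount   = 'C:\shadow_recovery',   # assumed: directory the snapshot is linked at (no spaces)
    [string]$Scan    = 'C:\Users',             # assumed: where to look for encrypted files
    [int]   $Samples = 20                      # assumed: how many files to test
)

# Many ransomware families delete shadow copies before encrypting; an empty
# list here means ShadowExplorer will not help either.
$shadows = Get-CimInstance Win32_ShadowCopy |
    Sort-Object InstallDate -Descending |
    Select-Object ID, VolumeName, InstallDate, DeviceObject
if (-not $shadows) { Write-Warning 'No shadow copies exist on this host.'; return }
$shadows | Format-Table -AutoSize

# Map each shadow copy's volume GUID path to its drive letter so we pick a
# snapshot of the drive we are scanning.
$letterOf = @{}
Get-CimInstance Win32_Volume | Where-Object DriveLetter | ForEach-Object { $letterOf[$_.DeviceID] = $_.DriveLetter }
$wanted = Split-Path $Scan -Qualifier     # e.g. "C:"
$newest = $shadows | Where-Object { $letterOf[$_.VolumeName] -eq $wanted } | Select-Object -First 1
if (-not $newest) { Write-Warning "No shadow copy covers $wanted"; return }
"Using snapshot of $wanted taken $($newest.InstallDate)"

# Expose the snapshot as a directory. mklink needs the trailing backslash after
# the device object path.
if (-not (Test-Path -LiteralPath $Mount)) {
    & cmd.exe /c mklink /d $Mount "$($newest.DeviceObject)\" | Out-Null
}

# For a sample of encrypted files, strip the appended extension to get the
# original name and test whether that file exists in the snapshot.
$suffix = [regex]'\.umbrecrypt_ID_[^\\.]+$'
Get-ChildItem -Path $Scan -Recurse -File -Filter '*.umbrecrypt_ID_*' -Force -ErrorAction SilentlyContinue |
    Select-Object -First $Samples |
    ForEach-Object {
        $original = $suffix.Replace($_.FullName, '')
        $relative = $original.Substring(3)          # drop the "C:\" qualifier
        $inShadow = Join-Path $Mount $relative
        [pscustomobject]@{
            Original   = $original
            InSnapshot = Test-Path -LiteralPath $inShadow
        }
    } | Format-Table -AutoSize

# To recover, Copy-Item from under $Mount to a clean location; remove the link
# afterwards with:  cmd /c rmdir "$Mount"
```

If every sample reports InSnapshot as False, the snapshot predates the files or the ransomware removed the copies; try older snapshots from the list before giving up. Copy recovered files out rather than working in place, and do not run cleanup tools that might trigger a snapshot rotation until recovery is done.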

Lawrence Abrams is the creator and owner of BleepingComputer.com. Lawrence's area of expertise includes malware removal and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.

Comments

I was infected with the .LeChiffre virus. Are there any links for removing this virus and unencrypting my files? Ransom link states any attempt to remove it will render my file permanently useless. Thanks.

Decrypter for HydraCrypt and UmbreCrypt available
In Emsisoft Lab by Fabian on February 12, 2016

Our research team became aware of two new malware families being distributed via exploit kits earlier this month: HydraCrypt and UmbreCrypt. After a quick analysis it turned out that both families are closely related to the CrypBoss ransomware family whose source code leaked onto PasteBin last year. While HydraCrypt and UmbreCrypt both change some of the implementation details in the encryption scheme, the original flaw that allowed us to break CrypBoss last year allowed us to break both HydraCrypt and UmbreCrypt as well.